How to resolve DNS leak


2 min read

DNS, or the Domain Name System, is often referred to as the phonebook of the internet. It translates human-readable domain names (like into machine-readable IP addresses (like This system allows users to access websites by typing in easy-to-remember domain names instead of complex numerical IP addresses.

A default DNS server is provided by the user's Internet Service Provider (ISP), but the user can change the DNS server on the mobile phone or computer to other public DNS servers, such as, and provided by Cloudflare, Google and Quad9, respectively.

By default, DNS traffic is not encrypted. This means that third parties can see users' DNS queries, which include the domain names of the applications they are using. This can potentially expose users' browsing history and other sensitive information to ISPs, network administrators, or any eavesdroppers monitoring the network.

There are two main methods for encrypting DNS traffic: DNS over TLS (DoT) and DNS over HTTPS (DoH). Both methods use Transport Layer Security (TLS) to encrypt the data between the DNS client (such as a web browser) and the DNS resolver (the server that translates domain names into IP addresses).

A list of publicly available DoH servers

Today, browsers such as Google Chrome and Firefox enable DNS over HTTPS (DoH) by default. Both iOS and Android support DoH but require further configuration, and Windows does not natively support DoH.

You can use Cloudflare's cloudflared client to proxy DoH locally(assuming your IP address is ).

cloudflared proxy-dns --address --port 53 --upstream
Adding DNS upstream url=
Starting metrics server on
Starting DNS over HTTPS proxy server address=dns://

Now other users on the same local network can configure their DNS server to , and all their DNS traffic will be proxy through DoH to

VPN users may think they are safe but that's not always true, this can happen if the VPN is configured to only route certain traffic through the VPN tunnel. In some system an application can also bypass the VPN by modifying the system route table. You can perform DNS leak tests using online tools like to ensure that the VPN is functioning correctly.